Doctor Appointment System CVE-2025-50493
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attacker must first obtain a valid session token (AC:H); success yields full account access so C:H/I:H, with no availability impact (A:N), correcting the published A:H-only vector.
Primary rating from Vendor (mitre).
CVSS VectorVendor: mitre
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
1DescriptionCVE.org
Improper session invalidation in the component /doctor/change-password.php of PHPGurukul Doctor Appointment Management System v1 allows attackers to execute a session hijacking attack.
AnalysisAI
Session hijacking in PHPGurukul Doctor Appointment Management System v1.0.0 stems from improper session invalidation in /doctor/change-password.php, where doctor account sessions are not terminated after a password change. A publicly available exploit code exists (GitHub, VasilVK), but there is no public exploit identified as actively exploited and it is not in CISA KEV. EPSS is low at 0.41% (33rd percentile), indicating limited real-world exploitation interest to date.
Technical ContextAI
The affected component is a PHP-based web application from PHPGurukul, a vendor of free/low-cost educational PHP+MySQL project templates. The root cause maps loosely to CWE-20 (Improper Input Validation) in the NVD record, but the described behavior - sessions remaining valid across a password change - is more precisely a session-management weakness (in the family of CWE-613 Insufficient Session Expiration / CWE-384 Session Fixation). In practice, change-password.php updates credentials without regenerating or invalidating existing PHP session identifiers, so a previously established session (or a captured PHPSESSID) continues to authenticate the doctor account even after the legitimate user rotates the password. CPE cpe:2.3:a:phpgurukul:doctor_appointment_management_system:1.0.0 identifies the exact affected build.
RemediationAI
No vendor-released patch identified at time of analysis; PHPGurukul has not published a fixed version for this issue. As specific compensating controls, modify /doctor/change-password.php to call session_regenerate_id(true) and destroy all prior server-side sessions immediately upon a successful password change, forcing re-authentication of every existing session (trade-off: the doctor is logged out of other devices). Enforce short session lifetimes and idle timeouts in the PHP session configuration to shrink the window a stale token remains usable, and set session cookies with HttpOnly, Secure, and SameSite attributes plus HTTPS-only transport to reduce the chance of token capture in the first place. Restrict network access to the /doctor/ administrative area (IP allow-listing or VPN) since this is a small-clinic application not intended for broad internet exposure. Consult the PoC at https://github.com/VasilVK/CVE/tree/main/CVE-2025-50493 to validate that your fix closes the exact path.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same weakness CWE-20 – Improper Input Validation
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today